ARTEMIS-3102 throw more accurate exception when re-authentication fails

This commit is contained in:
Justin Bertram 2021-02-09 11:00:26 -06:00
parent e2bfeec53d
commit 1a149b9af4
1 changed files with 38 additions and 22 deletions

View File

@ -188,28 +188,7 @@ public class SecurityStoreImpl implements SecurityStore, HierarchicalRepositoryC
// authentication failed, send a notification & throw an exception // authentication failed, send a notification & throw an exception
if (!userIsValid && validatedUser == null) { if (!userIsValid && validatedUser == null) {
String certSubjectDN = getCertSubjectDN(connection); authenticationFailed(user, connection);
if (notificationService != null) {
TypedProperties props = new TypedProperties();
props.putSimpleStringProperty(ManagementHelper.HDR_USER, SimpleString.toSimpleString(user));
props.putSimpleStringProperty(ManagementHelper.HDR_CERT_SUBJECT_DN, SimpleString.toSimpleString(certSubjectDN));
props.putSimpleStringProperty(ManagementHelper.HDR_REMOTE_ADDRESS, SimpleString.toSimpleString(connection == null ? "null" : connection.getRemoteAddress()));
Notification notification = new Notification(null, CoreNotificationType.SECURITY_AUTHENTICATION_VIOLATION, props);
notificationService.sendNotification(notification);
}
Exception e = ActiveMQMessageBundle.BUNDLE.unableToValidateUser(connection == null ? "null" : connection.getRemoteAddress(), user, certSubjectDN);
ActiveMQServerLogger.LOGGER.securityProblemWhileAuthenticating(e.getMessage());
if (AuditLogger.isResourceLoggingEnabled()) {
AuditLogger.userFailedLoggedInAudit(subject, e.getMessage());
}
throw e;
} }
if (AuditLogger.isAnyLoggingEnabled() && connection != null) { if (AuditLogger.isAnyLoggingEnabled() && connection != null) {
@ -280,6 +259,18 @@ public class SecurityStoreImpl implements SecurityStore, HierarchicalRepositoryC
final Boolean validated; final Boolean validated;
if (securityManager instanceof ActiveMQSecurityManager5) { if (securityManager instanceof ActiveMQSecurityManager5) {
Subject subject = getSubjectForAuthorization(session, ((ActiveMQSecurityManager5) securityManager)); Subject subject = getSubjectForAuthorization(session, ((ActiveMQSecurityManager5) securityManager));
/**
* A user may authenticate successfully at first, but then later when their Subject is evicted from the
* local cache re-authentication may fail. This could happen, for example, if the user was removed
* from LDAP or the user's token expired.
*
* If the subject is null then authorization will *always* fail.
*/
if (subject == null) {
authenticationFailed(user, session.getRemotingConnection());
}
validated = ((ActiveMQSecurityManager5) securityManager).authorize(subject, roles, checkType, fqqn != null ? fqqn.toString() : bareAddress.toString()); validated = ((ActiveMQSecurityManager5) securityManager).authorize(subject, roles, checkType, fqqn != null ? fqqn.toString() : bareAddress.toString());
} else if (securityManager instanceof ActiveMQSecurityManager4) { } else if (securityManager instanceof ActiveMQSecurityManager4) {
validated = ((ActiveMQSecurityManager4) securityManager).validateUserAndRole(user, session.getPassword(), roles, checkType, bareAddress.toString(), session.getRemotingConnection(), session.getSecurityDomain()) != null; validated = ((ActiveMQSecurityManager4) securityManager).validateUserAndRole(user, session.getPassword(), roles, checkType, bareAddress.toString(), session.getRemotingConnection(), session.getSecurityDomain()) != null;
@ -365,6 +356,31 @@ public class SecurityStoreImpl implements SecurityStore, HierarchicalRepositoryC
return null; return null;
} }
private void authenticationFailed(String user, RemotingConnection connection) throws Exception {
String certSubjectDN = getCertSubjectDN(connection);
if (notificationService != null) {
TypedProperties props = new TypedProperties();
props.putSimpleStringProperty(ManagementHelper.HDR_USER, SimpleString.toSimpleString(user));
props.putSimpleStringProperty(ManagementHelper.HDR_CERT_SUBJECT_DN, SimpleString.toSimpleString(certSubjectDN));
props.putSimpleStringProperty(ManagementHelper.HDR_REMOTE_ADDRESS, SimpleString.toSimpleString(connection == null ? "null" : connection.getRemoteAddress()));
Notification notification = new Notification(null, CoreNotificationType.SECURITY_AUTHENTICATION_VIOLATION, props);
notificationService.sendNotification(notification);
}
Exception e = ActiveMQMessageBundle.BUNDLE.unableToValidateUser(connection == null ? "null" : connection.getRemoteAddress(), user, certSubjectDN);
ActiveMQServerLogger.LOGGER.securityProblemWhileAuthenticating(e.getMessage());
if (AuditLogger.isResourceLoggingEnabled()) {
AuditLogger.userFailedLoggedInAudit(null, e.getMessage());
}
throw e;
}
/** /**
* Get the cached Subject. If the Subject is not in the cache then authenticate again to retrieve it. * Get the cached Subject. If the Subject is not in the cache then authenticate again to retrieve it.
* *